TDSS botnet: full disclosure
| Field | Value |
|---|---|
| Botnet | TDSS |
| Date | 2012-03-17 |
| Editor/Conference | Esage Lab |
| Link | http://nobunkum.ru/analytics/en-tdss-botnet |
| Author | Andrey Rassokhin, Dmitry Oleksyuk |
| Type | Publication |
Abstract
“TDSS is a widespread rootkit which forms a powerful botnet. TDSS is studied pretty well today. However, no studies include anything beyond analysis of binary code and common attack vectors. The main goal of this article is to fill this gap in the IT security knowledge base by uncovering the TDSS botnet mechanisms.
Also, we humbly hope to benefit the existing computer crimes investigation methodology. This research shows a generic way to locate the “digital core” of a cyberband, having only their instrument (a malicious binary file). Please note that this method makes it possible to find all technical info about an incident, while personal identification and prosecution of intruders remains in the law-enforcement authorities' sphere.
The article consists of two parts. In the first part the process of breaking into the botnet is covered step by step. The second part is dedicated to analysis of the botnet's inner details. Because we gained access to the C&C database, objective statistics of the botnet are included at the end of the article.”
Bibtex
@misc{2012BFR1259,
  editor       = {Esage Lab},
  author       = {Andrey Rassokhin and Dmitry Oleksyuk},
  title        = {TDSS botnet: full disclosure},
  day          = {17},
  month        = mar,
  year         = {2012},
  howpublished = {\url{http://nobunkum.ru/analytics/en-tdss-botnet}},
}